Notification to the Polish Supervisory Authority

A controller whose main establishment is in another country and which has a branch in Poland
is obliged to notify the Polish Supervisory Authority of the designation of a DPO via the branch
office if such a DPO has been designated. Such designation should be communicated to the Polish
Supervisory Authority via the website https://uodo.gov.pl/pl

Statement by the President of the Personal Data Protection Office on coronavirus

In connection with numerous questions on the processing of health data as a result of activities aimed at preventing spread of COVID-19 virus, the President of the Personal Data Protection Office (UODO) informs that the issues related thereto are regulated in the specific legal provisions, including in particular the so called Special Act. The provisions on personal data protection cannot be considered as an obstacle to conducting the activities with regard to fighting the virus – states the President of the UODO.

The indicated legal provisions do not conflict with the principles of data processing and do not infringe the GDPR.

They provide tools for undertaking specific activities by the employers that result both from the recommendations of the Chief Sanitary Inspector and the Prime Minister.

Article 17 of the Special Act on preventing COVID-19 sets forth that the Chief Sanitary Inspector or the voievodeship sanitary inspector acting on its behalf can issue to employers among others decisions imposing the obligation to undertake specific prevention or inspection actions and cooperation with other public administration authorities and State Sanitary Inspection authorities. Within the framework of the activities undertaken by the employers, they in particular have to stay abreast of the communications by the State Sanitary Inspection.

The Prime Minister at the request of the voievode, after having informed the minister of economy, shall have the right to issue instructions to the entrepreneurs in connection with preventing COVID-19. These instructions, issued in the form of an administrative decision, shall be implemented immediately upon its delivery or announcement and do not require justification.

These legal provisions correspond to the GDPR provisions which also provide for the situations related to the protection of health and preventing spread of infectious diseases (Art. 9(2)(i) and Art. 6(1)(d).

Pursuant to recital 46 of the GDPR the processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject, for example where the processing is necessary for humanitarian purposes, including monitoring epidemics and their spread.

The President of the UODO, having regard to the seriousness of the situation, reminds that any problems related to combating and preventing spread of coronavirus, in the light of the above provisions, shall be in the first place reported to the Chief Sanitary Inspector.

Therefore, the supervisory authority asks all the persons interested in details on the implementation of activities related to fighting the coronavirus to address in this case the Chief Sanitary Inspector as the competent authority.